Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e5c739ce8a7c6c1…

Verdict: MALICIOUS
File type: PDF
Size: 34.9 KB
Created: 2018-06-11 09:19:55 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-09-24
MD5: 098ac6f513dc3c13302c67c2a3d787f3
SHA-1: b76f38a7232d09573ed84d5262356b6df1dd8389
SHA-256: 9e5c739ce8a7c6c1a036e1975aa430aed50501570b893e5e02bcc105a3269170
Risk score: 130

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1204.002 User Execution: Malicious File

The document body mimics a search-result or download page for Toyota Hilux 4Y engine information and is padded with links to genuine Hilux forums, parts sellers and reference pages. A high-confidence ML classifier hit combined with an external URI pointing to a suspicious domain indicates a malicious download lure rather than a genuine manual. The body carries two variants of the gateway URL, http://uncpbisdegree.com/download3.php?q=toyota-hilux-4y-engine.pdf and the matching download4.php form, which is the likely payload-delivery mechanism; the PDF itself carries no exploit, so the risk is what the gateway serves to a victim who clicks through.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9062

Heuristics (4)

  • Fake 'free download' SEO-poisoning PDF [critical] PDF_SEO_FAKE_DOWNLOAD
    The ML classifier flagged this PDF AND it carries a visual download/call-to-action lure AND an off-domain server-side download-gateway link whose query string names a document payload. This three-signal conjunction is the fake-document / 'free PDF download' SEO-poisoning delivery pattern: the page is padded with benign decoy links to dilute classifier scores while funnelling the victim through the gateway to malware/scareware. Acting only on the conjunction keeps benign download-bearing PDFs from being misflagged.
  • PDF carries a PHP-gateway SEO-spam PDF link farm [medium] PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://uncpbisdegree.com/download3.php?q=toyota-hilux-4y-engine.pdf (in PDF document text)
    • http://uncpbisdegree.com/download4.php?q=toyota-hilux-4y-engine.pdf (in PDF document text)
    • http://www.winchbooks.com.au/toyota-hilux-workshop-repair-manual/ (in PDF document text)
    • http://www.motore.com.au/toyota-hilux-repair-and-workshop-manuals/ (in PDF document text)
    • http://www.truckjungle.com/2011/11/10/toyota-hilux-1968-2011/ (in PDF document text)
    • https://www.olx.co.za/car-parts-accessories_c377/q-4y-engine (in PDF document text)
    • http://www.roughtrax4x4.com/genuine-toyota-diesel-engine-oil-filter.html (in PDF document text)
    • http://www.megalawbooks.com/toyota-hilux-diesel-workshop-manual-1990.pdf (in PDF document text)
    • http://www.motore.com.au/download-toyota-engine-workshop-repair-manuals/ (in PDF document text)
    • http://www.roughtrax4x4.com/ (in PDF document text)
    • http://www.hilux4x4.co.za/views/viewtopic.php?t=4571 (in PDF document text)
    • http://www.hilux4x4.co.za/views/viewforum.php?f=27 (in PDF document text)
    • http://www.hilux4x4.co.za/views/viewforum.php?f=3 (in PDF document text)
    • https://www.enginesplus.com.au/toyotahino/ (in PDF document text)
    • http://www.toyota-car-parts.co.za/get-listed/ (in PDF document text)
    • http://www.lextreme.co.za/toyota-engines-2/ (in PDF document text)
    • http://www.safarisnorkel.com/docs/snorkel/toyota.html (in PDF document text)
    • http://www.brian894x4.com/Hiluxengines.html (in PDF document text)
    • http://www.toyota-car-parts.co.za/toyota-engines-sale-south-africa/ (in PDF document text)
    • http://daemon4x4.org/portal/downloads.php?dcid=17 (in PDF document text)
    • http://www.hilux4x4.co.za/views/viewtopic.php?t=916 (in PDF document text)
    • http://www.hilux4x4.co.za/views/viewforum.php?f=8 (in PDF document text)
    • http://tonmaxenginesscc.co.za/engines.html (in PDF document text)
    • http://uncpbisdegree.com/1/shadow-club-rising.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/seminarios-clinicos-y-cuatro-textos.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/spa-and-health-tourism.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/software-for-network-diagram.pdf (in PDF document text)
    • http://riverside-resort.net/1/volvo-v70-wiring-diagram-rear-wiper.pdf (in PDF document text)
    • http://riverside-resort.net/1/why-mrs-blake-cried-william-blake-and-the-erotic-imagination.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/taking-sides-clashing-views-on-legal-issues-expanded-by-m-ethan.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/sharp-lc40f22e-user-manual.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/the-best-ever-ring-bearer-all-the-best-things-about-being-in-a-wedding.pdf (in PDF document text)
    • http://uncpbisdegree.com/1/storytown-smartboard-lessons-grade-2.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://en.wikipedia.org/wiki/Toyota_Y_engine (in PDF document text)
    • http://www.answers.com/Q/Complete_torque_and_valve_settings_for_a_Toyota_Hilux_2.4D_2L_Engine_flywheel_bolts (in PDF document text)
    • http://www.answers.com/Q/FAQ/1121 (in PDF document text)
    • http://www.answers.com/Q/FAQ/980 (in PDF document text)
    • https://en.wikipedia.org/wiki/Toyota_4Runner (in PDF document text)
    • https://www.gumtree.co.za/s-toyota+hilux+2.4d/v1q0p1 (in PDF document text)
    • https://www.gumtree.co.za/s-toyota+hilux+kzte/page-2/v1q0p2 (in PDF document text)
    • https://www.aliexpress.com/item/new-replacement-carburetor-NIKKI-711-style-4Y-Toyota-Hilux-Dyna-Delta/2029485768.html (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkId=521839&CLCID=0409 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=246338&CLCID=0409 (in PDF document text)
    • https://go.microsoft.com/fwlink/?linkid=868922 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=286759&CLCID=409 (in PDF document text)
    • http://go.microsoft.com/fwlink/?LinkID=617297 (in PDF document text)
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense (in PDF document text)
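The four heuristics above, re-implemented as an added example over text already extracted from a PDF. This is example code written for this page, not the analysis platform's engine: the regexes, the three-word phrase rule, the four-link farm threshold and the 0.5 classifier threshold are assumptions chosen to match the rule descriptions. The 'off-domain' part of PDF_SEO_FAKE_DOWNLOAD is not modelled, because a standalone PDF has no origin to compare against, so any `.php` gateway whose slug names a document counts as the third signal. The sample texts are constructed from URLs in this report plus the placeholder host lure.example.

```python
"""SEO-poisoning PDF heuristics over already-extracted document text.
Example code written for this page, not the analysis platform's engine; the
regexes and thresholds are assumptions chosen to match the rule descriptions."""
import re
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r'https?://[^\s<>"]+')
CTA_RE = re.compile(r'\b(?:click here to download|download now|free download)\b', re.I)
DOC_EXT_RE = re.compile(r'\.(?:pdf|docx?|xlsx?|epub|zip)$', re.I)


def extract_urls(text):
    """EMBEDDED_URL: http(s) URLs in order of first appearance."""
    urls = []
    for m in URL_RE.finditer(text):
        u = m.group(0).rstrip('.,;)')
        if u not in urls:
            urls.append(u)
    return urls


def gateway_payload_slug(url):
    """If url is a .php gateway whose path tail or a query value names a document
    (x.php?q=slug.pdf or x.php/slug.pdf), return that slug; otherwise None."""
    parts = urlsplit(url)
    m = re.search(r'\.php(?=$|/)', parts.path, re.I)
    if not m:
        return None
    candidates = [parts.path[m.end():].strip('/')]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for cand in candidates:
        name = cand.rsplit('/', 1)[-1]
        if name and DOC_EXT_RE.search(name):
            return name
    return None


def is_phrase_gateway_link(url, min_words=3):
    """Link-farm shape: the slug is a multi-word search phrase (words joined by
    -, + or _), not a plain filename or a numeric id. min_words is an assumption."""
    slug = gateway_payload_slug(url)
    if slug is None:
        return False
    words = [w for w in re.split(r'[-+_\s]+', DOC_EXT_RE.sub('', slug)) if w]
    return len(words) >= min_words and not all(w.isdigit() for w in words)


def php_gateway_link_farm(urls, min_links=4):
    """PDF_SEO_PHP_GATEWAY_LINK_FARM: the phrase-slug gateway links, if at least min_links."""
    hits = [u for u in urls if is_phrase_gateway_link(u)]
    return hits if len(hits) >= min_links else []


def has_download_cta(text):
    """SE_DOWNLOAD_BUTTON: a call-to-action phrase is present."""
    return CTA_RE.search(text) is not None


def classify(text, ml_score, ml_threshold=0.5):
    """Names of the rules that fire. PDF_SEO_FAKE_DOWNLOAD needs all three signals
    (classifier hit AND call-to-action AND a gateway link naming a document payload),
    so a benign manual with a download button never trips it on the ML score alone."""
    urls = extract_urls(text)
    findings = []
    if urls:
        findings.append('EMBEDDED_URL')
    cta = has_download_cta(text)
    if cta:
        findings.append('SE_DOWNLOAD_BUTTON')
    if php_gateway_link_farm(urls):
        findings.append('PDF_SEO_PHP_GATEWAY_LINK_FARM')
    gateways = [u for u in urls if gateway_payload_slug(u) is not None]
    if ml_score >= ml_threshold and cta and gateways:
        findings.append('PDF_SEO_FAKE_DOWNLOAD')
    return findings


# Constructed text modelled on this sample: the lure's two gateway URLs plus
# some of the benign decoy links from the report's URL list.
LURE_TEXT = """Toyota Hilux 4y Engine PDF - Download Now
http://uncpbisdegree.com/download3.php?q=toyota-hilux-4y-engine.pdf
http://uncpbisdegree.com/download4.php?q=toyota-hilux-4y-engine.pdf
Related: http://www.hilux4x4.co.za/views/viewtopic.php?t=4571
http://daemon4x4.org/portal/downloads.php?dcid=17
https://en.wikipedia.org/wiki/Toyota_Y_engine
"""

# Constructed benign control: a download button but no gateway link.
BENIGN_TEXT = """Hilux diesel workshop manual - Download Now
http://www.megalawbooks.com/toyota-hilux-diesel-workshop-manual-1990.pdf
"""

# Constructed link farm: four phrase-slug gateways (lure.example is a placeholder
# host; its two slugs are the report's own examples of the pattern).
LINK_FARM_TEXT = """http://lure.example/index.php?dl=binary+options+trading+nz.pdf
http://lure.example/pdf.php/cialis-dosage-side-effects.pdf
http://uncpbisdegree.com/download3.php?q=toyota-hilux-4y-engine.pdf
http://uncpbisdegree.com/download4.php?q=toyota-hilux-4y-engine.pdf
"""

if __name__ == '__main__':
    for name, text, score in (('lure', LURE_TEXT, 0.9062),
                              ('benign', BENIGN_TEXT, 0.95),
                              ('link farm', LINK_FARM_TEXT, 0.30)):
        print(f'{name}: {classify(text, score)}')
```

Running it prints the rules that fire for each sample. The benign control shows why acting only on the conjunction matters: a manual page with a 'Download Now' button and a high classifier score still gets no PDF_SEO_FAKE_DOWNLOAD hit without a gateway link, and the lure text with only two gateway links does not reach the link-farm threshold even though the conjunction rule fires on it.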

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00004d64.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4D64  9888 bytes
    SHA-256: 9612a03c28e34e56a3d9bf09f92315ffaee1d21ff499aaa7aa33da12b0aa81f7
font_01_sfnt_off00006d0a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6D0A  7060 bytes
    SHA-256: 81b516951880692b60182f89419d2d13256e1e0f1f9e0430ce70f65b3fbb6768
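How artifacts like the two above can be reproduced, as an added example written for this page rather than the platform's own carver: locate sfnt headers (TrueType `00 01 00 00`, Apple `true`, CFF OpenType `OTTO`), take each font's length from its table directory, and hash the carved bytes. FontFile2 streams in a PDF are normally FlateDecode-compressed, so the example inflates every stream it can before scanning, in addition to scanning the raw file. The PDF and font bytes are constructed inline (the 'head' and 'name' tables are stubs, not a usable font), and the computed length omits any alignment padding after the last table; both are assumptions of this example. Carving and hashing fonts separately also explains some of the URL list: the Ascender Corp. and Liberation-font-licence URLs are the kind of string that most likely lives in an embedded font's name table rather than in the lure text.

```python
"""Carve embedded sfnt fonts out of a PDF and hash them. Example code written
for this page, not the analysis platform's carver. Assumptions: font length is
derived from the sfnt table directory (trailing alignment pad after the last
table is not counted) and only zlib/FlateDecode streams are inflated."""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b'\x00\x01\x00\x00', b'true', b'OTTO')   # TrueType, Apple TrueType, CFF OpenType
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sfnt_length(buf, off):
    """Length of the sfnt starting at buf[off:], from its table directory, or None
    when the bytes at off are not a plausible sfnt header (magic alone is not enough:
    'true' occurs in ordinary PDF syntax)."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from('>H', buf, off + 4)[0]
    if not 1 <= num_tables <= 64:                       # sanity bound, an assumption
        return None
    dir_end = 12 + 16 * num_tables                      # header + table records
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from('>4sIII', buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7f for c in tag):      # tags are printable ASCII ('head', 'name', ...)
            return None
        if t_off < dir_end or off + t_off + t_len > len(buf):
            return None
        end = max(end, t_off + t_len)
    return end


def carve_sfnt(buf, label='raw'):
    """Scan buf for sfnt magics; return (where, length, sha256) per plausible font."""
    found = []
    for magic in SFNT_MAGICS:
        pos = buf.find(magic)
        while pos != -1:
            n = sfnt_length(buf, pos)
            if n:
                found.append((f'{label}@0x{pos:X}', n, sha256_hex(buf[pos:pos + n])))
            pos = buf.find(magic, pos + 1)
    return sorted(found)


def carve_pdf_fonts(pdf):
    """Carve from the raw file, then from every stream that inflates: a raw scan
    alone sees only uncompressed fonts, while real FontFile2 streams are FlateDecode."""
    results = carve_sfnt(pdf)
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:                              # not a zlib stream (or stored raw)
            continue
        results += carve_sfnt(inflated, label=f'stream@0x{m.start(1):X}')
    return results


def build_test_sfnt():
    """Constructed minimal two-table sfnt (not a usable font): a zeroed 'head' and a
    'name' table, each padded to a 4-byte boundary as the format requires."""
    tables = [(b'head', b'\x00' * 54), (b'name', b'constructed-name-table')]
    directory_len = 12 + 16 * len(tables)
    records, body, offset = b'', b'', directory_len
    for tag, data in tables:
        records += struct.pack('>4sIII', tag, 0, offset, len(data))
        padded = data + b'\x00' * (-len(data) % 4)
        body += padded
        offset += len(padded)
    header = struct.pack('>IHHHH', 0x00010000, len(tables), 0, 0, 0)
    return header + records + body


def build_test_pdf():
    """Constructed PDF-shaped bytes: the same font once FlateDecode-compressed (as a
    real FontFile2 stream would be) and once stored raw."""
    font = build_test_sfnt()
    packed = zlib.compress(font)
    obj1 = (b'1 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n'
            % (len(packed), len(font)) + packed + b'\nendstream\nendobj\n')
    obj2 = b'2 0 obj\n<< /Length %d >>\nstream\n' % len(font) + font + b'\nendstream\nendobj\n'
    return b'%PDF-1.4\n' + obj1 + obj2 + b'%%EOF\n'


if __name__ == '__main__':
    for where, length, digest in carve_pdf_fonts(build_test_pdf()):
        print(f'{where}: {length} bytes sha256={digest}')
```

Both copies of the constructed font hash identically, which is the check worth running on a real sample too: a font carved from an inflated stream should match the stream dictionary's /Length1 entry (the uncompressed font length the PDF spec requires for FontFile2), and a mismatch between the directory-derived length and /Length1 usually means a truncated or tampered font stream rather than a carving error.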